It’s been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK).

More than three-quarters of a million clicks were made before the short link was disabled for violating Google’s Terms of Service.

But… other short links are still active. Though clicks are definitely on the decline.

Why are any of them still active? What is it about these viral links that might delay them from being disabled? Let’s take a closer look at the referrers.

Approximately 80% of the clicks are from “unknown” sources, the majority of clicks stripped the referrer. In this case unknown source very likely represents private messaging apps such as iMessage and WhatsApp. Both apps encrypt conversations from end-to-end.

And that means there’s nobody-in-the-middle to filter out bad links.

There is no iMessage client-side filter, and so there’s no opportunity to put automation in place which would automatically report abusive links to the appropriate short link service. And apparently, manual processes take about a week for Apple. Fortunately, crashsafari.com was only being shared as a prank.

The takeaway? Services such as Facebook and Twitter have visibility and thus the potential to curtail threats – but private messaging apps have a weak spot. Choose your friends carefully.

Let’s just hope that next time the would-be prank isn’t a worm waiting in the wings.

Many websites on the modern Internet have advertising content (ads) on their webpages. While some users find ads useful, many find it irrelevant, annoying or intrusive. Some ads even consume so much resources, they can cause undesirable drain on bandwidth and battery use, more notably on mobile devices. Worse, some ads can even lead to malicious content and other threats.

More about these and why blocking ads can enhance your browsing experience are discussed in this latest white paper on our AdBlocker [PDF] app for iOS.

It also causes various other browsers to hang or crash. Read more at Wired.

But here’s what I find curious…

Here’s an example of some Tweets using the Google short-link: /78uQHK.

They look “cross-platform” to me. There’s nothing about them which should tempt an iPhone owner more than an Android owner. And the same is true of the sizable majority of Facebook posts that I found using the same goo.gl link.

So it seems somewhat odd that of the nearly 500 thousand clicks the link has received (so far), only about 12.5% of them are coming from Android devices.

Since last year, we’ve been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits.

At the beginning of this year, we noticed a sudden significant drop in our telemetry for this redirector.

Interestingly, our Angler telemetry also dropped on the same day. Whereas Neutrino remained active. During that time, we noticed that Neutrino was served directly from compromised websites instead of via a redirector.

At first glance, it looked as if Angler took a vacation. Perhaps that is mostly true, but looking more closely at our telemetry, there was a very small group that remained active during their supposed time off.

Here are some of the instances that we see in our telemetry.

On January 11th, Angler activity started picking up again, while Neutrino activity slowly went down. There seems to be no apparent changes between the Angler EK seen before and after the break, which makes it look like they just took some vacation.

It is also interesting to note that Angler uses non-English words in generating their subdomains. The following are some Finnish words we’ve seen used by Angler in 2015 and 2016.

Tinba made its entrance into the malware scene a couple of years ago and at the moment, it stands as one of the most popular banking trojans out there. Amongst its noticeable features are the inclusion of preloaded configuration and the implementation of advanced encryption methods to increase its efficiency during operation and to reduce its chance of being dissected.

In this blog post, we’ll focus on the configuration data, specifically on how to extract the configuration data from process memory. The reason why we (and some of you out there) are interested in the configuration data is because this information could help us understand how it operates and who the targets are.

Cracking the XOR encryption

Tinba is known for its form-grabbing and web injection capabilities, which it uses to steal banking credentials from users who unknowingly visited compromised sites. It makes its way into a system mostly via spam emails and exploit kits.

Once downloaded, the form-grabbing and web injection configurations are stored on the disk, protected by XOR with a 4-byte key followed by RC4 and finally ApLib compression. The XOR key is the name of the folder where Tinba files are located, converted from strings to an integer. If no configuration files were downloaded, Tinba will resort to using the prebuilt configuration data from within its binary. This data uses the same encryption as the files minus the XOR encryption.

The XOR encryption is implemented to tie the configuration files to a particular machine. By using a combination of machine and botnet specific data as the XOR key, someone with no access to the infected machine would face a huge challenge in decrypting the files.

Decrypting the configuration files

However, decrypting the files might be unnecessary as Tinba’s method of hiding its configuration data is remarkably poor by modern standards. Both the form-grabbing data and web injection data are fully decrypted and decompressed to be stored permanently in the web browser memory. This is quite careless since other banking trojans tend to jealously guard their configuration data and will only decrypt the data as needed and then immediately wipe the decrypted data from memory once it is no longer needed.

Oversight in memory allocation?

To make matters even easier, Tinba’s author has coded the memory allocation for the configuration data very lazily. Instead of allocating only the necessary amount of memory for the specific data, the author decided to allocate a hard-coded amount of memory large enough to guarantee that any configuration data would fit. Consequently, the large 0x1400000 byte memory block stands out like a sore thumb in the web browser memory space. The form-grabbing configuration data is held at the beginning of the area while the web injection data can be located at the offset 0xa00000 within the area. Both blobs of data begin with the size of the configuration data.

As an example, the following is one entry for the web injection data received by this sample – 9c81cc2206c3fe742522bee0009a7864529652dd.

This sample indicates that the target is a banking institution in Poland.

Similarity to Zeus’ format

If Tinba’s configuration data looks eerily similar to you, it is because it follows the same format used by Zeus and many other malware families. The format has apparently turned into a bit of an industry standard for crimeware because it enables the same malicious web injections to be used on different botnets.

It would be interesting to find out how different malware authors ended up using the same format for their malware’s configuration data. We can assume that the web injection data is not developed by the botnet owner but bought from a third party. If that’s the case, agreeing on a certain configuration format would require cooperation between multiple web injection developers with multiple malware developers. Perhaps it just happens organically because a few years ago Zeus had such a large market share that it make sense for other authors to use the same format to make web-injection procurement easier for customers.

Apple iOS has excellent “parental control” options. But really, OS restrictions shouldn’t be limited to parental units. If you run as a limited user on your computer, then you should do the same on your mobile device. So here’s an iOS tip from our Cyber Security Services that Tomi Tuominen shared with me recently.

Use restrictions. Go to: Settings > General > Restrictions. Enable restrictions and set a passcode.

And to start: set Accounts to “Don’t Allow Changes”.

I also prefer to restrict “Background App Refresh” changes to ensure that newly installed apps cannot run in the background until I explicitly allow them to do so.

And here’s your opportunity: F-Secure will cover the costs for 2 to 3 people, from anywhere in the world. But time is limited, the event is Wednesday of next week. So don’t delay, act now, contact Sami Lappeteläinen and tell him why you should be chosen to participate.

Available from F-Secure GitHub: SEE Introduction: Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments. Plugins can be added to a Test Environment […]

I’ve been doing some password research and was recently reminded of this iOS 9 feature. Apple: “The default for passcodes on your Touch ID–enabled iPhone and iPad is now six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 […]

We noticed an unusual spike in “Flash redirector” detection hits during October. The source was compromised websites. The compromised websites had an injected code which loaded a malicious flash object that attempted to redirect users to the Angler exploit kit. This flash redirector is not a new thing. It was written about by MalwareBytes a […]

In the era of APT’s, it feels like something is amiss when there is a forum of governments and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint. A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended […]

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015. Here’s the abstract: A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an […]

How F-Secure Labs handles customer data is of the utmost importance for those of us who work here. We would therefore like to invite you to read our latest white paper which details our back end technology a.k.a. “Security Cloud” [PDF]. The paper explains the purpose, function and benefits of our technology and explains the […]

There’s a new crypto-ransom scheme currently in-the-wild targeting Linux-based systems. It’s called “Linux.Encoder.1” by the folks at Dr.Web. Basically, instead of setting up phishing sites or exploit kit redirects on vulnerable web-servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content. As a consequence, Google is indexing numerous victims. Google finds […]

Over the weekend, PageFair, a counter ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset which gave them access to PageFair’s account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair’s Javascript to a malicious one: This is what was shown to visitors of websites that used this PageFair service: […]